[lxc-users] Disable lxc-attach

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jan 12 14:15:39 UTC 2015


Please stop discussing this here.  Aside from the fact that your goal is
insulting to your users and anathema to open source, containers cannot
help you with your goal.  Users always have been able to, as root on the
host, ptrace-attach to your task.  Options like disabling the pidns (which
Vijay was suggesting) or using a custom LSM require you to prevent the
user from running a custom kernel.

Perhaps you really want to sell your software on a little usb-disk-sized
mini-processor talking to the user's computer over usb3.  That would be
more platform-independent, safer for you, and safer for the user, and
given the value you place on your software should be worth the cost.

Quoting Claudio Cesar Sanchez Tejeda (demonccc.y at gmail.com):
> Thanks!
> 
> But... how can I remove the pid of the namespace?
> 
> What functionalities are we going to lose by removing the pid?
> 
> Regards.
> 
> On Fri, Jan 9, 2015 at 9:02 PM, Vijay Viswanathan <vijay.vishy at gmail.com> wrote:
> > There is no straightforward way.
> >
> > There is one hack with some functionality sacrifice.
> > You could remove the pid namespace and start your container and
> > lxc-attach will break.
> >
> > lxc-attach: No such file or directory - failed to open '/proc/4579/ns/pid'
> > lxc-attach: failed to enter the namespace
> >
> >
> >
> > On Tue, Jan 6, 2015 at 11:15 AM, Claudio Cesar Sanchez Tejeda
> > <demonccc.y at gmail.com> wrote:
> >> Hi,
> >>
> >> Does someone know how I can disable the lxc-attach command / functionality?
> >>
> >> I want to create a completely isolated LXC container, and I don't want
> >> that someone could start processes or enter to the container using a
> >> shell (or run commands).
> >>
> >> Regards.
> >> _______________________________________________
> >> lxc-users mailing list
> >> lxc-users at lists.linuxcontainers.org
> >> http://lists.linuxcontainers.org/listinfo/lxc-users

